[00:05.000 --> 00:10.500]  Hi, welcome to Election Security Part Two, The Infrastructure Strikes Back. My name is Amélie
[00:10.500 --> 00:16.780]  Koran. I will be your panel moderator for this session here. Little did we suspect that this
[00:16.780 --> 00:22.020]  set of panelists would be back together six months later to discuss where we are versus where we were
[00:22.020 --> 00:26.640]  when it came to election security in the upcoming November general election. Since then, to say it
[00:26.640 --> 00:31.680]  lightly, things have gone off the rails, given that you now see us via video in our pandemic
[00:31.680 --> 00:37.360]  past. We've had a highly contentious Democratic primary season, some technical glitches supporting
[00:37.360 --> 00:41.660]  such primaries, court cases regarding in-person voting, and enough various disinformation
[00:41.660 --> 00:46.360]  campaigns to last another election. One thing that hasn't changed is the lineup of our esteemed
[00:46.360 --> 00:52.960]  panel from ShmooCon. And tonight we have Kimber Dowsett, Casey John Ellis, Jack Cable, and Tod
[00:52.960 --> 00:59.980]  Beardsley. I will then let them introduce themselves with a short intro. I am Kimber. I am
[00:59.980 --> 01:05.700]  the director of security engineering at Truss. That's Truss.Works, a software infrastructure
[01:05.700 --> 01:12.780]  company based out of San Francisco that works with both the public and private sectors. Hi,
[01:12.780 --> 01:18.960]  my name is Casey Ellis. I'm the founder, chairman, and CTO of Bugcrowd. We run crowdsourced security
[01:19.500 --> 01:25.640]  as a service programs, including vuln disclosure, bug bounties, crowdsourced pentest, and so on.
[01:25.640 --> 01:31.200]  And yeah, great to be... unusual to be talking about this with all the additional content,
[01:31.200 --> 01:36.460]  but very good to be talking about it again. Everyone, my name is Jack Cable. I am an election
[01:36.460 --> 01:42.140]  security technical advisor for the U.S. Cybersecurity and Infrastructure Security Agency,
[01:42.140 --> 01:48.540]  which is essentially the nation's risk advisors. We advise states and localities on the risks
[01:48.540 --> 01:53.880]  associated with different technologies, provide cybersecurity assessment services, so that they
[01:53.880 --> 02:00.400]  can make the best decisions to have a safe and secure election. Besides my work at CISA,
[02:00.400 --> 02:06.180]  I am a student at Stanford and a security researcher. Cool. And hi, I'm Tod Beardsley.
[02:06.180 --> 02:13.320]  I'm a director of research at Rapid7, a U.S.-based cybersecurity company. I personally care a lot
[02:13.320 --> 02:21.560]  about elections. I am usually an election judge in Texas, and I have a deep background in hacking,
[02:21.560 --> 02:27.620]  offensive security, research, vulnerability analysis, stuff like that. And congrats to
[02:27.620 --> 02:35.340]  Jack for the level up since our last meeting. He gets a bunch of power-up points on that one.
[02:35.340 --> 02:41.380]  That's awesome. So we're going to break this down into two sections, I believe, unlike last time,
[02:41.380 --> 02:47.900]  but mainly kind of a catch-up, a first section here about what has happened since February. So
[02:47.900 --> 02:53.500]  obviously a section B, we're coming up on about 90 days until the general election,
[02:53.500 --> 02:59.000]  and what we can do between now and then, since the timeline is definitely shorter,
[02:59.000 --> 03:05.160]  but also what kind of activities are going to be carried forward from them to the next election,
[03:05.160 --> 03:11.340]  next primaries, or just in general, lessons kind of learned. So with that, we have ourselves a
[03:11.340 --> 03:15.860]  first question here. So we find ourselves here again after six months, and there's been a lot
[03:15.860 --> 03:20.440]  going on that we didn't cover back in February. However, regarding one of the last takeaways from
[03:20.440 --> 03:24.740]  closing that panel, we noted it was important to engage your local board of elections. And with
[03:24.740 --> 03:36.160]  that, where do we stand? Wow. Well, let me start this off. I engage with my local board of elections
[03:36.160 --> 03:42.140]  by being an election judge. I ran a polling place not too long ago about, we're recording this on
[03:42.720 --> 03:50.380]  end of July. So for me in this time stream, this is about three weeks ago, there was a
[03:50.380 --> 03:59.780]  special election and a runoff election combined here in Texas. It was pretty fun.
[03:59.780 --> 04:05.900]  I never knew that, like, wiping down voting, you know, polling places would be so rewarding.
[04:05.900 --> 04:10.900]  I got to feel like I was battling COVID, like, every five minutes, you know, helping people out,
[04:10.900 --> 04:18.900]  and so like, and for that, at least for me, like, I felt like I was really, I was doing something.
[04:18.900 --> 04:25.100]  I did notice through training and then on election day, you know, the demographics have
[04:26.140 --> 04:32.840]  switched over quite a bit on who is working in the polls. Like, it is very common normally to
[04:32.840 --> 04:37.880]  see a lot of retirees and just, you know, older people who are there to help out and help out
[04:37.880 --> 04:44.500]  their communities in this way. I was not the youngest person at this polling place, which was
[04:44.500 --> 04:52.700]  a first for me. So if you have the opportunity and the inclination, and don't mind doing a
[04:52.700 --> 04:58.640]  whole lot of cleaning all day long, you know, maybe volunteer to work in a polling place come
[04:58.640 --> 05:05.380]  November. Anybody else? Yeah, I mean, what has happened since then, I think, you know, in terms
[05:05.380 --> 05:13.320]  of rocking up and helping out, it's fair to say that any intention to do that would have been a
[05:13.320 --> 05:19.860]  little distracted by, you know, March and so on. But I think, you know, Tod's example of
[05:19.860 --> 05:26.060]  just doing what's needed, especially with the pandemic and, you know, the changes in
[05:26.060 --> 05:30.240]  operational considerations around actually running an election, still true. It's even more true now,
[05:30.240 --> 05:38.400]  than it was. As the token non-citizen on the talk, I mean, this is even more foreign
[05:38.400 --> 05:43.640]  interference now than it was when we gave the talk, because I'm actually in Sydney at the moment.
[05:44.760 --> 05:48.880]  But, you know, part of what we've been working on, what I've been working on, and a bunch of
[05:48.880 --> 05:55.100]  other people have been working on is, you know, standardization of, like, how do we make adoption
[05:55.100 --> 06:00.380]  of vulnerability disclosure programs and the implementation of policy, specifically for 2020,
[06:00.380 --> 06:05.400]  with all of the, you know, unique considerations this year has, how do we make that as easy as
[06:05.400 --> 06:12.820]  possible for the states and counties? So we updated a version of the language on disclose.io,
[06:12.820 --> 06:18.880]  which is an open source initiative to basically make it easy and make it as standardized as
[06:18.880 --> 06:24.660]  possible. That came out after the talk, and it's been good. I think, you know, at the very least,
[06:24.660 --> 06:29.660]  that's actually served to get a lot more people thinking about doing that, that maybe weren't
[06:29.660 --> 06:34.140]  before, because that kind of blocking function of how do I even engage with the hacker community
[06:34.140 --> 06:37.680]  in the first place was, I think, pretty difficult for a lot of people to even consider.
[06:37.680 --> 06:43.180]  Early to echo, yeah, Casey's point there, I think, yeah, something I've been involved with and
[06:43.180 --> 06:51.180]  pushing for is states and vendors to establish these vulnerability disclosure policies.
[06:51.180 --> 06:57.320]  On the CISA side, we are releasing guidance to election officials in order to establish
[06:57.320 --> 07:02.360]  vulnerability disclosure policies, essentially saying, if you want to do this, this is the best
[07:02.360 --> 07:08.320]  practices that you can follow. A lot of that is drawn from CISA's directive, the Binding
[07:08.320 --> 07:13.740]  Operational Directive 20-01, which is a draft directive that will require all federal agencies
[07:13.740 --> 07:18.220]  to start a vulnerability disclosure policy. Yeah, that was a good deal, by the way.
[07:18.740 --> 07:23.420]  Yeah, I think, yeah, really looking forward to see that come out and see the positive security
[07:23.420 --> 07:28.140]  effects that can have all across the federal government. But of course, CISA doesn't have
[07:28.140 --> 07:34.280]  that same authority over states. So we're essentially putting out guidance, giving them
[07:34.280 --> 07:39.980]  the best practices and the resources they need to start this themselves if they want that.
[07:40.060 --> 07:46.340]  And then, of course, yeah, besides that, just phone work I've been doing, yeah,
[07:46.960 --> 07:51.260]  clearly I'm not at the local level, but the federal level. And I think that there's really
[07:51.380 --> 07:57.000]  a lot of ability there to kind of have an impact at scale of working with all 50 states,
[07:57.000 --> 08:04.180]  working with a significant portion of the localities of the counties that are out there.
[08:04.240 --> 08:09.320]  So I think that's a really great opportunity to be at CISA and have this kind of wide-ranging
[08:09.320 --> 08:14.680]  effort, wide-ranging effects that I'm not sure you can have anywhere else with election security.
[08:14.680 --> 08:21.660]  Kimber? Yeah, I'll jump in. It works out well since Jack touched on Casey's point. I'm going
[08:21.660 --> 08:27.080]  to touch on Tod's point. The prompt was, you know, what's happened since February?
[08:27.340 --> 08:35.600]  And the answer is a pandemic. So the reality of a lot of the election security
[08:36.220 --> 08:40.340]  things that we would normally talk about and that we will touch on today
[08:41.120 --> 08:46.920]  still rely on people being able to actually get to the polls to vote in states that aren't going
[08:46.920 --> 08:55.520]  to allow mail-in ballots. So I think it'll be a nice segue into a lot of the misinformation
[08:55.520 --> 09:02.680]  we're hearing about mail-in ballots. But to Tod's point, we can scream to the skies that
[09:02.680 --> 09:10.320]  mail-in ballots are perfectly safe and reasonable and actually help disenfranchised voters have a
[09:10.320 --> 09:16.100]  voice. But there are going to be some places that insist that folks go to the polls and somebody's
[09:16.100 --> 09:22.860]  got to be there to man the polls or we're going to end up in a different type of disenfranchisement,
[09:22.860 --> 09:29.100]  right, where people are lined up for 20 hours because there's three poll workers, you know,
[09:29.100 --> 09:36.200]  for thousands of people who want to vote. So it's important to know what's going on in your
[09:36.200 --> 09:43.420]  voting district and if your voting district allows mail-in voting, great, cool. But if they don't,
[09:43.420 --> 09:49.080]  like, that's a perfect opportunity to get involved. And I understand that it's asking
[09:49.080 --> 09:56.060]  you to put yourself at risk, too, and that sucks, right? It is, yeah. That's where we're at. I am shocked.
[09:56.060 --> 10:03.140]  I had a COVID test about four days after election day and I am shocked I did not come up
[10:03.140 --> 10:08.700]  positive. But hey, you know, turns out masks and hand cleaning and surface cleaning works, though.
[10:09.160 --> 10:12.680]  Yeah, you know, kind of the follow-up on this, too, is, I mean, obviously,
[10:13.320 --> 10:18.780]  the curveball that we were thrown was the pandemic and, you know, as Tod mentioned that, you know,
[10:18.780 --> 10:23.540]  primarily a lot of the election workers, you know, that were counted on by various precincts
[10:23.540 --> 10:29.220]  and states in general were retirees and those who, you know, I hate to say it, have more time
[10:29.220 --> 10:34.580]  on their hands. You know, this is obviously going to be proving a challenge for staffing and it
[10:34.580 --> 10:38.980]  runs headlong into the issues, you know, obviously some of the disinformation that's been spread about
[10:38.980 --> 10:44.380]  mail-in voting. You know, are there any particular ways that we can kind of mitigate or address any
[10:44.380 --> 10:49.760]  of these issues that are novel? Obviously, we're running, you know, headlong against, you know,
[10:49.760 --> 10:54.380]  people pushing back on the mail-ins, but then we have the reality of, you know, folks potentially
[10:54.380 --> 11:00.260]  exposing them to a deadly virus. I hate to run the gambit of talking about, like, e-voting,
[11:00.260 --> 11:05.940]  but obviously there are other ways to, you know, look at, you know, potentially extending voting
[11:05.940 --> 11:12.680]  times, alternating places where people can vote to reduce exposure. Are there any other, you know,
[11:12.680 --> 11:18.660]  methods that, you know, potentially the EAC and others can address in this case? In before
[11:18.660 --> 11:27.360]  blockchain? Yeah, I wasn't there. You have to drink now. So, I mean, e-voting is a non-starter,
[11:27.360 --> 11:34.480]  right? Like, we're recording this and it is today, 97 days, by the time this airs, it'll be about 90
[11:34.480 --> 11:42.600]  days before the election. And, you know, West Virginia is doing their thing and good for them,
[11:42.600 --> 11:48.080]  but no one else is. I don't see anybody having any plans for that right now.
[11:48.660 --> 11:54.880]  Maybe someday in the future, you know, e-voting will be a thing, but I don't, I don't, I think
[11:54.880 --> 12:00.520]  the easiest way to get people to the polls in states that don't have mail-in ballots is
[12:00.520 --> 12:07.800]  extending, you know, early voting. I mean, that's a thing. Texas, I'm in Texas right now, so great, Texas.
[12:08.240 --> 12:12.580]  We're bad at mail-in ballots, but we're apparently really good at early voting.
[12:12.580 --> 12:18.920]  My voting, my first day to vote in November will be October 13th, so that's a stupendous amount
[12:18.920 --> 12:24.880]  of time, way longer. And so that'll be, that will help at least give people an opportunity to get
[12:24.880 --> 12:29.160]  into a polling place where maybe it's not so crowded. Last day of early voting is super crowded
[12:29.160 --> 12:35.600]  and election day will be super crowded. So, you know, if you can vote in that early voting period,
[12:35.600 --> 12:41.800]  I strongly suggest you do. That, you know, it doesn't help any of the I.T. problems that we
[12:41.800 --> 12:47.680]  talk about and that nominally this panel is supposed to be about, but it does help the, like,
[12:47.680 --> 12:54.700]  not getting COVID. So, which, you know, might be a little more important. Kimber? I want to, plus
[12:54.700 --> 13:04.640]  one to the adding more polling places because we know social distancing is huge to prevent the
[13:04.640 --> 13:11.140]  spread of COVID. When we have communities like mine where there's one polling place downtown
[13:11.140 --> 13:17.580]  and then one local school, then we have basically the town split in half to go to these two polling
[13:17.580 --> 13:25.920]  places and it gets kind of crazy. Holding people to districts, we see some gerrymandering, right?
[13:25.920 --> 13:30.900]  They'll draw a line right through the middle of the university so that half the university
[13:30.900 --> 13:37.080]  students think that they're supposed to vote at one place and it's really the other. So, you know,
[13:37.800 --> 13:43.860]  if they're going to say no mail-in ballots, then why not say, but all the schools in a single
[13:43.860 --> 13:47.200]  district can vote and if you're eligible to vote in one, you can vote in any of them
[13:47.200 --> 13:55.720]  so that folks can at least get to the closest, you know, place. And we do our best to, like,
[13:55.720 --> 14:01.640]  disperse the population, but a lot of towns have a couple polling places. They're almost always
[14:01.640 --> 14:09.700]  schools, which who knows if schools will even be open, but if they are, you sure don't want to have
[14:10.420 --> 14:14.420]  a hundred thousand people rolling through a school that children are going to be at the next day,
[14:14.420 --> 14:21.260]  right? Like, so there's physical considerations that certainly were not part of our equation
[14:22.040 --> 14:27.940]  in what, February 1st, when we jammed through all the things we think could go wrong.
[14:27.940 --> 14:36.360]  This was not on my bingo card. No, no, no. So the thing that's, to me, that's new
[14:37.220 --> 14:43.240]  is, and I've actually, I've heard Tod say this in a panel on this before, you know,
[14:43.240 --> 14:51.640]  democracy does rely on the peaceful concession of whoever loses. So the increased likelihood of a
[14:51.640 --> 14:58.440]  hanging count because of mail-in voting and the changes in the process and different things like
[14:58.440 --> 15:04.220]  that, I think there was a lot of conversation back in January and prior around the role of
[15:04.220 --> 15:12.980]  risk-limiting audits to basically, you know, say, no, this is not like any accusation of fraud can
[15:12.980 --> 15:19.040]  be basically confirmed or denied at that point. Projects, you know, to give a shout out to is
[15:19.040 --> 15:25.720]  Arlo. ARLO, which is essentially a framework for that, that I believe is funded by CISA
[15:26.440 --> 15:31.760]  and is open source. And something that I've been trying to encourage people in the security
[15:31.760 --> 15:37.360]  research community to do is to go bang on that, actually go look at it from a security standpoint,
[15:37.360 --> 15:42.820]  because ideally if there's any point in time over the next six months where Arlo itself gets
[15:42.820 --> 15:48.800]  called into question as a tool to rebuff, at least at that point we can say, no, we actually
[15:48.800 --> 15:54.680]  went through this and it seems legit. So that to me is new, like that was always going to be some,
[15:54.680 --> 16:00.340]  to some degree of risk, as it always is. But I think that's actually a far, that's going to play
[16:00.460 --> 16:05.320]  a far greater role actually post-election, on election day and post-election day in 2020.
[16:05.760 --> 16:11.300]  Yeah, I think they covered a little bit of that on the HBO special of Harri, as well as, you know,
[16:11.300 --> 16:16.220]  I think it was the second half of the documentary was regarding the risk-limiting audits. I don't
[16:16.220 --> 16:21.140]  know if they necessarily had a really good explanation of how it all works. That is a
[16:21.140 --> 16:25.780]  little extra math for most folks, but, you know, it's one of those good things that can be put in.
[16:25.780 --> 16:31.620]  I think, and looking at, looking at, so, you know, calling myself out as this was a theme,
[16:31.620 --> 16:38.960]  and the last time we got together as well, acronym, de-acronyming stuff. So risk-limiting
[16:38.960 --> 16:45.460]  audit is what RLA stands for. I think it's Verified Voting, who are running point on it,
[16:45.460 --> 16:51.960]  and they've done some pretty, I think, good work on explainer videos that take some, you know,
[16:51.960 --> 16:58.680]  fairly complicated math and kind of simplify the concept to the point where a non-technical
[16:58.680 --> 17:02.760]  potential voter can actually consume it and understand what's going on. It's essentially,
[17:03.680 --> 17:11.040]  you know, a cryptographically determined sample, random sample set that's then paired with
[17:11.040 --> 17:17.200]  verification of the outcome compared to what's recorded. And if there's any sort of deviational
[17:17.200 --> 17:21.440]  margin of error within that sample set, then it goes again and goes again and goes again until
[17:21.440 --> 17:26.620]  it can work out the scope of that. Or, you know, if everything checks out, then everything checks
[17:26.620 --> 17:31.960]  out and things are okay at that point. It's the randomization and the process around it that I
[17:31.960 --> 17:37.440]  think is, to your point, difficult to explain on a technical level to most people, but I think the
[17:37.440 --> 17:44.800]  concept itself is actually fairly easy to grok. Great. And just to kind of go back a little to
[17:44.800 --> 17:49.840]  our discussion on the different kinds of voting options that there are, it's clear that the
[17:49.840 --> 17:56.780]  election is going to be run a little differently this year. Just with the constraints we face,
[17:56.780 --> 18:02.700]  election officials have to provide an accessible and safe method of voting for their voters. And
[18:02.700 --> 18:07.820]  what this means is essentially from CISA's perspective, we want to limit the risk as much
[18:07.820 --> 18:12.940]  as possible with these options. So, for instance, talking about online voting, also called
[18:12.940 --> 18:18.540]  electronic ballot returns, CISA has assessed that that is high risk. Even with controls in place,
[18:18.540 --> 18:24.140]  the risk there still cannot be controlled. And it's not CISA's job to decide whether these are
[18:24.140 --> 18:30.820]  deployed, but it's our belief that the risk on these is much higher than, say, compared to in-person
[18:30.820 --> 18:36.620]  voting or mail-in ballots. So on that end, CISA has put out a series of documents essentially
[18:37.320 --> 18:44.800]  describing, from a procedural sense, what kinds of options election officials have,
[18:44.800 --> 18:50.580]  both to ensure safe in-person voting and then also to make sure that mail-in balloting process
[18:50.580 --> 18:58.440]  goes smoothly. And just to touch on some of the in-person voting options there, it is very true,
[18:58.840 --> 19:03.800]  like Tod was saying, that the truth is a lot of these poll workers are older and they face
[19:04.220 --> 19:10.020]  a higher risk of being impacted by the virus. So there's going to be very high poll worker
[19:10.020 --> 19:15.360]  shortages. And in a lot of cases, that means consolidation of polling places because they
[19:15.360 --> 19:20.500]  can't staff that many. And that, of course, can lead to problems because then you have more people
[19:20.500 --> 19:27.580]  in fewer places. With a pandemic, that's, of course, not ideal. But we have to make it work.
[19:27.580 --> 19:34.780]  So one option there is vote centers, for instance, where larger physical polling places that make it
[19:34.780 --> 19:41.400]  easier to maintain physical distance. There's, of course, still a polling shortage. I guess here
[19:41.400 --> 19:46.760]  I'll say to everyone who is young and healthy, the best thing you can do is serve as a poll worker
[19:46.760 --> 19:53.180]  and make sure that on a local level your elections run smoothly. But yes, it is going to be a
[19:53.180 --> 20:00.100]  challenge just because, yeah, of course, in-person voting carries some risks with it from a health
[20:00.100 --> 20:07.960]  perspective. So we encourage states to make the decisions that best fit them. But both mail-in
[20:07.960 --> 20:14.200]  balloting and in-person voting we view as being low-risk options given that there's a paper trail
[20:14.780 --> 20:19.800]  and you can run, say, risk-limiting audits on those. Well, so I'm going to take kind of a little bit
[20:19.800 --> 20:24.240]  of a left turn. I know, you know, we just full transparency for folks who are watching this,
[20:24.240 --> 20:27.440]  like we have a list of questions that we've agreed on, but I'm going to kind of combine
[20:27.440 --> 20:32.500]  this because of the way the flow is. You know, one of the things that's amazing about, like,
[20:32.500 --> 20:37.340]  where we live, we're in the United States here, and Casey excepted, but yeah, we will adopt you
[20:37.340 --> 20:42.160]  on this one. Most of the time. You know, is the freedom of speech, you know, it's part of
[20:42.160 --> 20:48.360]  our own constitution and whatnot. But, you know, as we mentioned in February, you know, one of the
[20:48.360 --> 20:54.260]  critical things about this election is how we talk about it, whether it be through discourse
[20:54.260 --> 21:01.060]  about outcomes, whether it be the primaries or the general election, the methodologies we use
[21:01.060 --> 21:07.000]  to do that. So we, you know, talk about the press about, like, how things have gone, the process of,
[21:07.000 --> 21:11.980]  you know, how we go about voting. But also, you know, it's another thing called disinformation
[21:11.980 --> 21:21.060]  or misinformation where, you know, what we talk about is willingly bad, essentially not right
[21:21.060 --> 21:28.320]  when fact-checked, or in some cases, is disinformation provided by an actual entity.
[21:28.320 --> 21:35.840]  I know, you know, with the 2016 and earlier, the recent, the midterms, we had influence from
[21:35.840 --> 21:41.720]  outside sources. And obviously, you know, Washington Post just recently kind of covered
[21:41.720 --> 21:46.780]  that we're potentially seeing some influence from China and Iran and some of our other,
[21:46.780 --> 21:51.500]  you know, would classically qualify them as adversaries, but yet we still find some ways
[21:51.500 --> 21:56.500]  to deal with them. You know, where do we kind of find ourselves in this case right now? Obviously,
[21:56.500 --> 22:01.260]  you know, six months later, you know, we had a little bit of a kind of, I wouldn't say necessarily
[22:01.260 --> 22:08.060]  contentious Democratic primary, but, you know, it was a lot more graceful when people, you know,
[22:08.600 --> 22:14.160]  basically, you know, said, yeah, I'm out, and let people carry forward. But also, you know,
[22:14.160 --> 22:20.400]  in recent news about how people are talking about, you know, the legitimacy of the methods that we're
[22:20.400 --> 22:25.940]  using, where do you kind of see ourselves now? And what can we do in the future here,
[22:25.940 --> 22:32.620]  as folks who are attendees to this video, but also, you know, as responsible citizens to kind
[22:32.620 --> 22:37.340]  of educate others, your parents, your friends, your peers, your neighbors, and so forth to
[22:37.340 --> 22:48.900]  be on the lookout for this? I'll rush into the fire. I think an interesting thing that I've seen
[22:48.900 --> 22:56.900]  is that, yes, when we did our panel back in early February, which seems like so long ago now,
[22:56.900 --> 23:04.720]  I think that we could pretty clearly say, like, Russia. We're seeing the Twitter bots,
[23:04.720 --> 23:11.380]  the farms, we're seeing, like, the disinformation campaigns on Facebook, Twitter, IG.
[23:12.140 --> 23:20.400]  Now, it's much more complicated. So, the interesting thing that we've seen now are,
[23:20.400 --> 23:27.560]  well, I feel like it's interesting, because I'm a, you know, social media nerd. The QAnon accounts
[23:27.560 --> 23:35.300]  that have popped up seem to span the gamut of countries. And you see a lot of activity from
[23:35.300 --> 23:42.000]  these QAnon accounts just coming from the U.S. And they're not, like, some, you know, complex,
[23:42.860 --> 23:49.280]  combative nation state, right? They're from just, like, diehard MAGA people who are like,
[23:49.280 --> 23:54.560]  I'm going to do my duty, and this is patriotic, and they are figuring out how to spin up bots.
[23:54.560 --> 23:58.980]  And so, that's pretty interesting. And then to see
[24:01.180 --> 24:09.680]  bots that will respond to Trump accounts, right? Or the interesting thing that I see a lot, too,
[24:09.680 --> 24:16.140]  are accounts that get a lot of followers because they'll post pornography, right? And then they
[24:16.140 --> 24:22.000]  get, like, loads of followers. And then they get verified in some cases. And then as soon as they
[24:22.000 --> 24:27.660]  get the checkmark, they switch to, like, QAnon accounts that have given themselves some name
[24:27.660 --> 24:32.080]  that you can recognize in the media. And all of a sudden, you think you're engaging with someone
[24:32.080 --> 24:37.520]  that you're not engaging with. But what that does is have this, like, celebrity or verified
[24:38.740 --> 24:47.940]  boost of this misinformation. So, for me, as a person who has a blue checkmark,
[24:47.940 --> 24:54.360]  I want to say, I don't know anything. I'm not an expert on any fucking thing.
[24:54.360 --> 24:59.040]  And I'm going to tell you flat out that, like, you'd be hard-pressed to find a blue checkmark
[24:59.040 --> 25:06.300]  that is an expert on everything. So, if someone gets their blue checkmark for being an actress,
[25:06.300 --> 25:12.960]  like, maybe don't just immediately trust that they're an expert on vaccination protocol, right?
[25:12.960 --> 25:21.120]  So, I think that it's really fascinating how the floods are coming and the stuff that Cambridge
[25:21.120 --> 25:28.720]  Analytica did, it's all still happening under a different name, a different company,
[25:28.720 --> 25:34.900]  but it's all still out there on Facebook and Twitter. It's just, like, now more people from
[25:34.900 --> 25:40.820]  different countries, including our own, are able to participate in the disinformation process.
[25:41.240 --> 25:48.060]  Yeah, I'll tag in on that. Just confirm what you're saying, like, the QAnon stuff and things
[25:48.060 --> 25:55.280]  of that nature, they're happening on the ground here in Australia. I think for, you know,
[25:55.280 --> 26:01.200]  for ostensibly different reasons from a partisan political standpoint, but it's kind of coming from
[26:01.200 --> 26:09.240]  the same mindset. And I think in part, like, we're all going a bit stir-crazy right now. It's good
[26:09.240 --> 26:14.800]  not to ignore the fact that society just in general is dealing with mental stress that we've
[26:14.800 --> 26:20.880]  not seen collectively for as long as Twitter's been around, definitely. So weird shit happens.
[26:21.720 --> 26:26.620]  But yeah, there's that piece of it. I think, Kimber, you touched on a really good point. I
[26:26.620 --> 26:34.560]  actually got invited to talk about disinformation on a friend who has a cooking channel. She's got,
[26:34.560 --> 26:42.200]  like, millions and millions of subscribers, but she saw basically bot, like, advertising-focused
[26:42.200 --> 26:49.180]  bot-generated content, ripping off her stuff, and then noticed that there was subversion starting
[26:49.180 --> 26:55.240]  to creep into that, and then the ability for that type of channel to be used. That's so crazy.
[26:55.680 --> 27:00.500]  It's nuts, man. And I'm like, what am I doing on a cooking channel? This is crazy. No, they have an
[27:00.500 --> 27:07.940]  entire channel on this, like, basically debunking some of these bots or the content farms.
[27:08.380 --> 27:14.340]  So it's a real thing, and I think the ability for that sort of thing to be deployed very rapidly,
[27:14.340 --> 27:19.900]  because these are businesses. It's businesses that exploit the things that are exploitable to
[27:19.900 --> 27:23.640]  build following on social media in some of the ways that Kimber just described, but then they
[27:23.640 --> 27:29.760]  sell that or rent that, or if they're owned, you know, potentially by, you know, an actor that can
[27:29.760 --> 27:34.260]  go hostile, it's redeployed into that. And that's happening across all sorts of different channels.
[27:34.260 --> 27:39.880]  The one you asked, Amelie, about, you know, things that we can do. I think something that
[27:39.880 --> 27:48.500]  we can all agree on. The Great Hack, for example, just as a, you know, a way to get people that
[27:48.500 --> 27:54.260]  aren't necessarily technical in a context that's apolitical. So you're not sort of going one way
[27:54.260 --> 27:58.860]  or the other too much. You're just explaining to them this general idea that, like, social media
[27:58.860 --> 28:05.260]  is a constructed reality that's been built just for you. And you actually need to be
[28:05.260 --> 28:10.180]  observing it like that. I think, you know, for the hackers that are kind of watching this,
[28:10.180 --> 28:13.680]  that's probably a thesis and something that's important that we could all agree on.
[28:13.680 --> 28:18.620]  And I found that to be fairly helpful. Great. And just to talk briefly on foreign
[28:18.620 --> 28:24.920]  disinformation, of course, that's a very large concern. We've seen in 2016 what happened,
[28:24.920 --> 28:30.180]  and in 2020, it seems to be shaping up again. We know, yes, our nation's adversaries, Russia,
[28:30.180 --> 28:35.360]  Trump, China, Iran, are all targeting, trying to interfere in our democratic processes.
[28:35.620 --> 28:40.460]  So from CISA's perspective, our number one priority is to ensure that Americans decide
[28:40.460 --> 28:47.700]  American elections. So that means ensuring that foreign adversaries are not able to interfere,
[28:47.700 --> 28:53.700]  whether that's by actually targeting election systems, whether that's disinformation campaigns,
[28:53.700 --> 29:00.220]  all that. It should be Americans who are deciding American elections. So that kind of
[29:00.220 --> 29:05.780]  leads us to the point, then, what steps can Americans take to mitigate the impact, say,
[29:05.780 --> 29:12.920]  of disinformation or just general confusion, say, on election night? I think the most important
[29:12.920 --> 29:17.400]  thing here is just to understand that elections are going to be different this year. Election
[29:17.400 --> 29:23.300]  night, November 3rd, is not going to be the same as election night in the past, because with many
[29:23.300 --> 29:29.480]  more mail-in ballots, they're going to take much longer to count, just due to state laws and
[29:29.480 --> 29:35.900]  processes around that, as well as just technical constraints, since some states are rapidly
[29:35.900 --> 29:41.660]  scaling out mail-in ballots at a scale that is maybe tenfold from what they previously had
[29:41.660 --> 29:49.660]  operated. So with that perspective, election night, it is entirely possible that it just isn't
[29:49.660 --> 29:55.060]  what the election results are. And it may take a week, it may take several weeks to actually
[29:55.060 --> 30:00.440]  learn what the final results are. So the best thing that Americans do is to just internalize
[30:00.440 --> 30:06.020]  this to understand that election results are not going to come out immediately. Media has
[30:06.020 --> 30:11.340]  an important role in this, that it can't just be election night, the final results, declare who won,
[30:11.340 --> 30:17.320]  because we have to acknowledge that might not be the case. So I think that if we all are on the
[30:17.320 --> 30:23.120]  same page, expecting this to be a slower process, and keeping in mind that a slower process means
[30:23.120 --> 30:28.640]  that there's more time to actually verify that results are correct, and to ensure that
[30:30.020 --> 30:35.960]  the final count is ultimately the right one. So I think just understanding that patience is
[30:35.960 --> 30:41.520]  needed here, and that election night, not going to know who won, may take some time,
[30:41.520 --> 30:45.360]  but we'll get there, and we can be confident then in the outcome of the election. That's
[30:45.360 --> 30:50.360]  the important thing. Yeah, and just to follow up on what Jack said, is like, election night is not
[30:51.100 --> 30:58.020]  the end of this, right? Like, for starters, like any kind of disinformation campaign that we've been
[30:58.020 --> 31:02.920]  talking about, that's going to happen way before election day. Like I mentioned, I get to vote on
[31:02.920 --> 31:09.620]  October 13th, so, you know, look for something exciting happening around, I don't know, first or
[31:09.620 --> 31:19.720]  second week of October. Almost, like, that's the time when your fear ganglia should flare up
[31:19.720 --> 31:25.760]  around what's going to be happening around disinformation. And just one other
[31:25.760 --> 31:32.920]  super quick point, Jack is also totally correct that I would be shocked if we had results
[31:32.920 --> 31:36.800]  election night. Now, it doesn't mean it's the end of democracy. Like, there will not be rioting in
[31:36.800 --> 31:41.560]  the streets over this. We've done this before. Like, the 2000... some people on this call are old
[31:41.560 --> 31:47.220]  enough to remember the 2000 election. And we remember that, like, that was weeks and weeks
[31:47.220 --> 31:54.320]  and weeks of will they, won't they, which ended up in the Supreme Court decision. So, like, that did
[31:54.320 --> 32:00.980]  not destroy America. And not having election results at, you know, 1am on November 4th is not
[32:00.980 --> 32:06.060]  going to, it's not going to kill everybody. Like, we'll be fine. We'll be fine. Yeah, that does bring
[32:06.060 --> 32:09.920]  up a good point, you know, or subsequent question here, you know, it's kind of talking some of the
[32:09.920 --> 32:15.800]  logistical errors. You know, just to put on an election is not as easy as everybody kind of
[32:15.800 --> 32:19.740]  thinks. Like, you just go in there and pull the handle if you're a manual or you... It is way more
[32:19.740 --> 32:25.440]  complicated. It is way more complicated. I mean, you know, just watching Matt Blaze's Twitter feed
[32:25.440 --> 32:30.640]  sometimes and just how simplistic some of the suggestions are. And then, of course, Matt being
[32:30.640 --> 32:36.040]  Matt kind of fires back in Matt's way and whatnot. And that's not a knock on him. It's just a
[32:36.040 --> 32:42.080]  try to educate people that, yeah, this this shit ain't simple. You know, as much as I railed on my
[32:42.080 --> 32:46.360]  trip to the DMV recently, you know, I sat in the car and kind of pondered everything required to
[32:46.360 --> 32:51.680]  kind of make my trip better. And I'm just like, oh, my God, that's that's a lot to move. That's
[32:52.140 --> 32:57.280]  Sisyphean in a way. But, you know, obviously, one of our one of our bigger challenges, obviously,
[32:57.280 --> 33:04.520]  the thing that made the biggest press right after our February conclave here was the Iowa caucus.
[33:04.520 --> 33:09.740]  And I wrote a long paper on this about the whole DevOps process in regards to how it was developed.
[33:09.800 --> 33:14.460]  But, you know, the Iowa caucus with the Georgia primaries, which, you know, some would say was
[33:14.460 --> 33:21.160]  kind of a predictable outcome of, you know, what kind of a clusterfuck it would be. But, you know,
[33:21.160 --> 33:26.620]  that's the other the other issues underscore the potential about how trust is eroded through
[33:28.240 --> 33:33.800]  procedural process error by no fault or intent of the creator of that error. It was more or less
[33:33.800 --> 33:42.020]  like we're forging new areas of election things we can do and mistakes will be made. You know,
[33:42.020 --> 33:46.660]  there was no necessarily evidence when one looked at that, you know, interference necessarily
[33:46.660 --> 33:55.200]  occurred. But, you know, when you know, basically, these things that we do in so nice a word,
[33:55.200 --> 34:00.520]  shit the bed, you know, what are the different ways that we can as professionals in the security
[34:00.520 --> 34:06.400]  and election security arena kind of capture the discussion and say, you know, this shouldn't
[34:06.400 --> 34:15.860]  erode trust. This is us trying something new. Mistakes will be made. Morale will be, you know,
[34:15.860 --> 34:20.420]  lowered. But, you know, what are some things at the technical level to kind of, as I mentioned,
[34:20.420 --> 34:24.660]  you know, you have a lot of technical people that will swoop in and say, oh, we can fix this with
[34:24.660 --> 34:32.560]  blockchain, for instance, as Casey so lightly joked about. But, you know, what are some practical
[34:32.560 --> 34:38.040]  techniques we can have to kind of educate some people on like, no, no, no, this is a big ship
[34:38.040 --> 34:45.120]  to steer, you know, this is what you can expect and, you know, don't lose trust in this.
[34:45.920 --> 34:51.760]  Great. So first, just to really underscore the point that running elections is incredibly hard.
[34:51.760 --> 34:58.300]  There's so much more than just kind of from a voter's perspective showing up to, say, a polling
[34:58.300 --> 35:03.140]  place, casting your ballot. There's so much more that goes into this process. So many months of
[35:03.140 --> 35:09.060]  preparation. That's a difficult task. And every single election official I've talked to is
[35:09.060 --> 35:20.520]  incredibly motivated and wants to make sure that elections run smoothly and that their people can,
[35:21.160 --> 35:27.420]  so just thinking about going back to February, say, was already shaping up to be
[35:27.960 --> 35:32.460]  perhaps one of the hardest elections that an election official has had to run just because
[35:33.160 --> 35:38.840]  we are in an incredibly polarized environment. We know that there is foreign interference that
[35:38.840 --> 35:44.300]  occurred in 2016 and we can expect again in 2020. So even from that perspective,
[35:44.780 --> 35:49.960]  this was a hard task. And then you add the pandemic and everything becomes so much more
[35:49.960 --> 35:54.260]  complicated because suddenly we can't vote entirely in the same way as we're used to voting
[35:54.260 --> 36:00.600]  and all of these processes have to change. In a lot of cases, like I said, election officials now
[36:00.600 --> 36:07.820]  have to scale out mail-in ballots at 10 times the capacity. And when your machines process those,
[36:07.820 --> 36:13.300]  we're only intended to do, say, a small percentage of voters in your jurisdiction.
[36:13.320 --> 36:19.060]  From a technical perspective, that can be very difficult and things can break because we're
[36:19.060 --> 36:24.520]  rapidly scaling out these technologies and things can and likely will go wrong.
[36:25.560 --> 36:30.960]  So from that perspective, what should voters expect? So I said before, be patient. Election
[36:30.960 --> 36:35.980]  results may not come in immediately and that's fine. I think the second point there is really
[36:35.980 --> 36:43.360]  to expect things to go wrong, but don't immediately believe that that is a result of interference of
[36:43.360 --> 36:50.540]  any kind because the most likely explanation is that's just some routine error that occurred and
[36:50.540 --> 36:57.260]  that will be worked through. There's processes in place in order to handle these types of failures.
[36:57.260 --> 37:03.500]  We have, for the most part, paper trails that allow verifying elections. So from that perspective,
[37:03.500 --> 37:09.360]  we have controls in place. And yes, technology can be brittle and stuff can break down,
[37:09.360 --> 37:15.140]  but a lot of times just look for the most likely explanation that, of course,
[37:15.140 --> 37:21.480]  interference is still possible and we should be very concerned if that does happen.
[37:21.600 --> 37:29.080]  But just looking from kind of what is most likely to happen, it's more likely that, I mean, we can
[37:29.080 --> 37:33.460]  almost assume that some technical failure in some capacity will occur, but that doesn't mean that's
[37:33.460 --> 37:39.140]  malicious and the people just have to view it as that way and understand that there are still
[37:39.140 --> 37:44.500]  controls in place. Yeah, Occam's razor is good. I can't remember if it's Hanlon's razor or Occam's
[37:44.500 --> 37:53.080]  razor, but it's one of the razors. I think it's Hanlon's. Yeah, anyway. Yeah, well, simple ends
[37:53.080 --> 37:58.040]  malice. Anyway, whatever, because we can probably look that one up after the fact and I'm outing
[37:58.040 --> 38:05.620]  myself for not knowing which razor is which right now. I'd add to that, no new stuff in 2020, like
[38:05.620 --> 38:11.280]  timeout, you know, like there's a whole bunch of innovation happening in the election space,
[38:11.280 --> 38:15.040]  which I think is fantastic. And I think it's important. It's going to be critical
[38:16.000 --> 38:23.220]  after this is done. But, you know, the addition of variables, you know, the idea that
[38:24.100 --> 38:29.580]  there's like software fails, which is the second point I'm going to make, but like it's
[38:29.580 --> 38:35.500]  the failure rate of software is directly proportional to how quickly it's been brought
[38:35.500 --> 38:40.920]  to market and oftentimes how mature it is. So this idea of like, cool, let's just blast
[38:41.620 --> 38:45.260]  2020 with a whole bunch of brand new stuff that we haven't really tested. You know, ultimately,
[38:45.260 --> 38:50.740]  when you go back to Iowa and do a bit of a root cause analysis, that's sort of most of what
[38:50.740 --> 38:56.780]  happened there. It was less than six weeks of the analysis. Yeah. Yeah, it was. And it's logically
[38:56.780 --> 39:00.400]  what would happen again if we do it with other stuff. So no new stuff. But then this other idea
[39:00.400 --> 39:05.780]  of like software, you know, in terms of, again, coming back to how we can help, like humans aren't
[39:06.240 --> 39:12.520]  humans make mistakes, period. Like this is why, you know, we've got an industry is because,
[39:12.520 --> 39:16.680]  you know, while we come up with all these incredible ways to do stuff, including democracy
[39:16.680 --> 39:22.580]  itself, we do make the occasional spelling error. And then there's bad people that want to
[39:22.580 --> 39:27.560]  manipulate that to get what they want. So this idea of like to err is human, it's more about how
[39:27.560 --> 39:33.460]  you respond. Again, it's part of what I like so much about, you know, vulnerability disclosure
[39:34.400 --> 39:39.380]  as a process, but also as this like leading indicator of maturity when it comes to security
[39:39.380 --> 39:45.340]  of an organization that can translate to trust. I think that's a concept that isn't very well
[39:45.340 --> 39:50.920]  understood. And I think a lot of the time people, you know, on the operations side would prefer to
[39:50.920 --> 39:56.280]  do ostrich risk management and pretend it didn't exist. But I think it's going to become
[39:56.280 --> 40:02.440]  pretty important in context of all of the stuff that can and probably will go a bit funky this
[40:02.440 --> 40:11.900]  year. Casey, you have some of the best vuln disclosure jargon around. I've been practicing.
[40:11.900 --> 40:19.240]  Yeah, a little. Yeah, like I guess I would just say as technical people who are probably
[40:19.240 --> 40:25.220]  the only people watching this, you know, I think what you can you can do your part by
[40:25.760 --> 40:31.900]  not freaking the hell out when you see something that goes wrong. Like, you know, just to echo,
[40:31.900 --> 40:36.300]  you know, Jack and Casey, it's like it is it is a Hanlon's razor kind of thing. There will
[40:36.300 --> 40:42.880]  probably be mistakes. You know, I don't I don't think I would go so far as to say like it's super
[40:42.880 --> 40:47.380]  I've got the Metasploit shirt on. It's very hard for me to say like don't disclose vulnerabilities.
[40:48.100 --> 40:55.340]  But, you know, maybe not on Election Day and maybe not make a bunch of hay about like hackable
[40:55.340 --> 40:59.440]  voting machines. Like that is kind of the least of our worries. If all we had to worry about was
[40:59.660 --> 41:04.200]  a hackable voting machine like that physical device, boy, that would imply that we've fixed
[41:04.200 --> 41:11.000]  so many other problems in infrastructure, in disinformation, in everything up and down the
[41:11.000 --> 41:19.080]  line. So, you know, I would hope that, you know, the folks that work in the space who pay attention
[41:19.080 --> 41:27.100]  to things in Voting Village, you know, maybe not completely lose your cool over a, you know,
[41:27.280 --> 41:33.540]  a voting machine that can be hacked in person. So I'll do a quick response and I'm sure Amelie
[41:33.540 --> 41:40.140]  wants to move on. But this goes back to something that I said in February. And it's a recurring
[41:40.140 --> 41:45.300]  thing because I feel like I say it a lot. So if you've heard it before, suck it because I'm going
[41:45.300 --> 41:52.040]  to say it again. But the biggest disservice that we can do to the American people as security
[41:52.040 --> 41:58.400]  professionals is somehow convincing them that their votes don't count. And we do that by
[41:59.880 --> 42:05.280]  constantly preaching that the system's broken, the voting machines are hackable,
[42:05.280 --> 42:10.240]  the infrastructure's flawed, the voter registration system is, you know,
[42:10.240 --> 42:17.580]  something that can be tampered with. It's not to say these things aren't true. But also, like,
[42:17.580 --> 42:25.480]  you have to qualify those ramblings and announcements with how often that actually
[42:25.480 --> 42:33.040]  happens and what the likelihood of that happening actually is. And the idea that, you know,
[42:33.040 --> 42:38.720]  hacking 20 voting machines is going to sway an election without even, like,
[42:38.720 --> 42:45.580]  acknowledging what it would take to actually hack the voting machine, right? Or to tamper
[42:45.580 --> 42:52.100]  with the voter registration system without acknowledging that, like, you know, states do
[42:52.100 --> 42:57.620]  have some IDS systems in place. Like, sure, could it happen? Yeah, we can, like, what if all day
[42:57.620 --> 43:05.240]  long? But if we're, if we're putting information out there, that even makes one person think, well,
[43:05.240 --> 43:11.700]  my vote can just be changed anyway, so why would I bother voting? Like, then we've fucked up,
[43:11.700 --> 43:16.820]  like, bad, because we've kind of, we, like, shot ourselves in the foot with the thing that we were
[43:16.820 --> 43:22.720]  trying to make better. So we're now into Section B. So we've now pivoted from where we were six
[43:22.720 --> 43:28.320]  months ago to where we find ourselves in the last 90 days here. 90 days scares me, because,
[43:28.320 --> 43:32.700]  you know, coming from the federal government, it takes longer than that, mainly to fill out
[43:32.700 --> 43:37.980]  the paperwork for something. So 90 days for us in the real world, if in the commercial sector,
[43:37.980 --> 43:42.700]  will be totally interesting. But obviously, I'm going to highlight the fact that, you know,
[43:42.700 --> 43:49.020]  as Jack leveled up here, CISA has taken more of an active policy and assistance role for states.
[43:49.020 --> 43:55.260]  The Election Assistance Commission Committee has hired some really great new staff. In fact,
[43:55.260 --> 44:02.160]  some folks, I believe, Kimber and I were on the panel many years ago with, and, you know, the
[44:02.160 --> 44:07.140]  feeling that, while it's awesome, they hired these people. I don't know, I've tweeted out about it,
[44:07.140 --> 44:13.520]  it's a little too late in certain cases, but, you know, they hire great people. What is the
[44:13.520 --> 44:17.900]  feeling right now that these folks can actually make a difference between now and the election?
[44:17.900 --> 44:22.980]  Or, obviously, if we can't do it by then, what are the, what is the change that can be made
[44:23.580 --> 44:27.080]  for further elections, provided that the world isn't going to melt down?
[44:27.080 --> 44:33.000]  So yeah, I think, yeah, I can take this to start. Yeah, so it's true. Yes, CISA has brought on
[44:33.000 --> 44:39.040]  some more people to help out with election security. I'm part of a group of me and four
[44:39.040 --> 44:44.540]  other Stanford students who all came to CISA to work specifically on election security.
[44:44.540 --> 44:51.620]  And we've been having a lot of fun being able to work essentially on both the infrastructure
[44:51.620 --> 44:59.540]  component, building tools to allow organizations to better secure their systems, and allow CISA to
[44:59.540 --> 45:06.520]  say, aid and assessments to state and local election officials, as well as working on some
[45:06.520 --> 45:15.320]  that's a foreign disinformation component. So in terms of what both, say, CISA and EAC can do
[45:15.320 --> 45:21.720]  by November, I think there's a lot that can still be done. Of course, yes, we have, I believe,
[45:21.720 --> 45:27.260]  calculated this, I think it's 89 days from the time the talk this is airing until the election,
[45:27.260 --> 45:33.700]  and that's very little time, almost nothing, but we still can do a lot. We can help,
[45:34.200 --> 45:40.040]  say, states identify vulnerabilities in their systems. We continue to offer services that assess
[45:40.040 --> 45:46.240]  these systems and give guidance. I mentioned before, we have documents that we published
[45:46.240 --> 45:54.600]  along with the Election Assistance Commission, and we're working to support states in the capacity
[45:54.600 --> 46:02.020]  that we can. So I think that there's a lot that still, of course, needs to be improved,
[46:02.020 --> 46:08.880]  but we're getting there. And from my perspective, yes, the government plays a large role in this,
[46:08.880 --> 46:16.060]  the federal government. And I really do think that states, this is, I'd say, one of the major
[46:16.060 --> 46:21.160]  improvements since 2016. In 2016, the federal government's involvement with the states was
[46:21.160 --> 46:27.380]  not at all near where it was today. So much has improved since then that we are now working with
[46:27.380 --> 46:33.740]  each of the 50 states. We're working with a significant portion of the local election offices,
[46:33.740 --> 46:39.500]  and we're in a much better place, both to be protecting systems and then monitoring in case
[46:39.500 --> 46:47.280]  stuff does go wrong. So, you know, you speak to, obviously, kind of the involvement with CISA and,
[46:47.280 --> 46:52.220]  you know, kind of the states taking a more active role in their own survival in a way.
[46:52.220 --> 46:59.220]  You know, have any of the vendors, either of the e-poll books or the election systems,
[46:59.220 --> 47:05.940]  been more willing to kind of come forward and work proactively with the government or, you know,
[47:05.940 --> 47:10.620]  say any of the companies represented on here to kind of solve the problems? I know, you know,
[47:10.620 --> 47:16.740]  I've recently been involved with some workshopping with OECD on regards to vulnerability disclosure
[47:16.740 --> 47:23.840]  policies and digital product security. And one of those cases is finding a good mediator sometimes
[47:23.840 --> 47:29.600]  to kind of do that. Has anybody kind of moved that way, or are we still kind of like,
[47:29.600 --> 47:32.520]  you know, kind of finger pointing and moving forward there?
[47:32.520 --> 47:38.600]  So in terms of CISA's involvement with this, of course, CISA's preference is for vulnerabilities
[47:38.600 --> 47:44.800]  to be disclosed either directly to the state or to vendors when that is possible. And it is our
[47:44.800 --> 47:49.300]  view that, of course, vulnerability disclosure policies can be very helpful in this process.
[47:49.620 --> 47:56.820]  I'm not aware of any vendors that at the time of recording, or states for that matter, that have
[47:56.820 --> 48:02.120]  come up with vulnerability disclosure policies that could very well change between the two weeks
[48:02.120 --> 48:08.340]  when this airs. But what we do offer is resources for those that want to implement vulnerability
[48:08.340 --> 48:13.540]  disclosure policies to do so. So like I mentioned, we have our guide on vulnerability disclosure that
[48:13.540 --> 48:23.220]  will be live by the time this panel airs, as well as the fact that we do serve as a last resort for
[48:23.220 --> 48:29.460]  people who are unable to disclose vulnerabilities. For any reason, they can report it to US-CERT,
[48:29.460 --> 48:36.600]  which is under CISA, and we will work to get that disclosed to the vendor in order to mitigate that
[48:36.600 --> 48:42.080]  vulnerability. So CISA does play an important role here. And yeah, it is our hope that
[48:43.820 --> 48:47.940]  of course, yes, that any vulnerabilities that either people come to vendors with,
[48:47.940 --> 48:53.360]  or come to us with, that they will be addressed. So I mean, and just to follow up on that, I mean,
[48:53.360 --> 48:59.280]  we're getting under the wire, at the wire, right, for the November 2020 election. If
[49:00.120 --> 49:06.440]  I were the king of vuln disclosure, I think I would direct people to disclose to you personally,
[49:07.420 --> 49:13.640]  and, you know, by extension to CISA, before vendors and states, like, I mean, I think that's
[49:13.640 --> 49:19.020]  kind of the way, like, let's say I'm sitting on a vulnerability, or I find a vulnerability in some
[49:19.020 --> 49:23.560]  election system or whatever, like, and I'm a, I'm a hacker guy, who wears bedspread to do this.
[49:24.480 --> 49:29.940]  Like, I have it, I don't want to not tell anyone about it, you know, there is this, like,
[49:29.940 --> 49:34.520]  it's okay to yell fire in a crowded theater, if the theater is actually a fire business.
[49:34.520 --> 49:40.240]  Um, I think it's, it's probably not great to, like, drop that on Twitter and just full disclose
[49:40.240 --> 49:46.500]  and do that. I mean, that's not helpful, I don't think in, in, in the slightest. But I do think,
[49:46.500 --> 49:52.660]  like, you tell me, like, I, my, my instinct is, you know, tell CISA and hope for the best,
[49:52.660 --> 49:59.300]  and keep my mouth shut until November, I don't know, 10th, 15th or something. You know, so at
[49:59.300 --> 50:05.540]  least this is where they can do, I'm describing your job at you. Yeah, you can do instrumentation,
[50:05.540 --> 50:11.680]  right? Like, so even if there's no fixes, there's still ways to, to track the vulnerability.
[50:11.780 --> 50:16.200]  Yeah, yeah. And you're exactly right there that yes, the priority is for the vulnerability to
[50:16.200 --> 50:23.760]  get fixed as quickly as possible. And we want to support whatever will make that happen
[50:24.320 --> 50:30.260]  as efficiently and smoothly. So of course, it's ideal if it is possible to disclose directly to
[50:30.260 --> 50:40.960]  vendors, but that is hard when there are no policies today. Yes, exactly. So given that,
[50:40.960 --> 50:46.840]  yeah, the current landscape, yes, CISA does serve as a coordinating role there. For people who,
[50:46.840 --> 50:52.420]  yeah, can't really find the contact to disclose, they can come to CISA and CISA will work to make
[50:52.420 --> 50:57.060]  sure that the vendor or the state is made aware and that the vulnerability can be fixed.
[50:57.280 --> 51:02.380]  Yeah, I mean, hard, hard agree with, with Todd's suggestion of going to CISA, especially at this
[51:02.380 --> 51:09.540]  point. You know, keeping in mind as well that like with the 90 day kind of lead time that we've got,
[51:09.540 --> 51:15.780]  the vendors are very likely to be distracted and have lots of other things on their plate,
[51:15.780 --> 51:20.500]  just from a pure logistical standpoint, before you go layering on the pandemic and the fact that
[51:20.500 --> 51:28.800]  2020 is generally a bit of a shit show. Yeah, the thing that I wanted to double click on
[51:29.580 --> 51:35.800]  is actually around basically non-disclosure of findings ahead of November at this point. And
[51:35.800 --> 51:44.220]  this is very much opposed to how I normally talk about non-disclosure. Yeah, it's really,
[51:44.220 --> 51:47.900]  it's a really, it's a really difficult thing to say. We actually talked about this in terms of
[51:47.900 --> 51:53.560]  the boilerplate election policy that we put up on Disclose.io. And we've got it in there. It's
[51:53.560 --> 51:59.620]  like, you know, basically the agreement is not to disclose until after the election is finished.
[52:00.280 --> 52:05.660]  Ordinarily, that timeline would serve as back pressure on the vendors to fix. And I think
[52:05.660 --> 52:10.840]  that's a really good and important thing for accountability and transparency. But the risk of
[52:10.840 --> 52:15.100]  frightening a non-technical voter into just giving up and not showing up to the poll booth
[52:15.100 --> 52:21.100]  as a product of trying to do something good, I think is extremely high on this particular topic
[52:21.100 --> 52:26.420]  at this particular point in time. So yeah, it's a hard pill to swallow. I think for security
[52:26.420 --> 52:31.200]  researchers in general, it was definitely, you know, from where I, from what we do and
[52:31.200 --> 52:34.640]  where I sit, it's a hard thing to say, but I actually do think it's the right thing for this
[52:34.640 --> 52:39.540]  year. Yeah. Yeah, I know. That's one of those things we've kind of, you know, as I mentioned
[52:39.540 --> 52:43.020]  with some of the policymaking, you know, obviously federal, international and whatnot.
[52:43.020 --> 52:46.700]  You know, we've set the, I wouldn't say necessarily artificial 90 day deadline,
[52:46.700 --> 52:53.020]  but obviously for inside the 90 days, it does kind of create an unworkable framework with both
[52:53.020 --> 52:58.140]  in the timing, I think the regulatory environment for whatever folks need to do for certifications,
[52:58.140 --> 53:02.140]  plus loading all the election information and the logistics of that. So, you know,
[53:02.140 --> 53:07.700]  it just creates this, this whirlwind of not a good situation for us to be in. So yeah.
[53:07.960 --> 53:12.080]  So yeah, we, we talked about this, you know, earlier in regards to kind of the effect that
[53:12.080 --> 53:20.020]  COVID-19 has had on how we staff the election, how we are attending the election and participating
[53:20.020 --> 53:26.380]  in it, obviously with retirees and whatnot. There is so much dumpster fires being poured
[53:26.380 --> 53:33.340]  into the alley right now. It's not even funny. And obviously with the disinformation and just
[53:33.340 --> 53:39.180]  all the stuff we talked about, if you were all betting people, and if we were in Las Vegas this
[53:39.180 --> 53:45.620]  year, instead of doing this virtual, what would you bet to be the first thing to crumble out of
[53:45.620 --> 53:50.300]  all of this? What do you think is the first thing that is just like, you know, the guy from Oz comes
[53:50.300 --> 53:56.740]  out behind the sheet and says, yep, everybody go home. We're fucked. If I was a gambling person,
[53:56.740 --> 54:04.840]  which I'm not, I think it would be if we're talking about the first thing to just go like
[54:04.840 --> 54:11.420]  shithouse on fire. What do we do? Is a bunch of maybe
[54:13.720 --> 54:22.380]  rebellious folks who would show up at polling places without masks and like fake cough and
[54:22.380 --> 54:29.360]  just make a big to do and just try to disrupt, you know, the peaceful line at the voting place,
[54:29.360 --> 54:37.340]  like, I think that, sure, I think we'll see people tweeting, oh, I got a mail-in ballot for my
[54:37.340 --> 54:42.940]  uncle who died last year, and then it gets 10,000 retweets and then somebody else tweets
[54:42.940 --> 54:50.440]  something similar. Like, I think we'll see that, but like just for shithouse election day, like,
[54:50.440 --> 54:56.080]  what are we going to see on the news? I think like polling places being disbanded for like
[54:56.080 --> 55:02.020]  civil unrest and not from the folks who are there just to vote peacefully.
[55:02.080 --> 55:06.780]  So this is starting to form like a John Carpenter movie in the worst way possible then.
[55:06.780 --> 55:15.000]  Well, I am a horror fan, so of course that's where I go. My hope is that people respect democracy,
[55:15.000 --> 55:20.060]  regardless of which side of the line you fall on, and just let people have their constitutional
[55:20.060 --> 55:28.240]  right to participate in the electoral process. However, I am currently disenchanted by the state
[55:28.240 --> 55:35.160]  of the country right now. I don't know. I think that your first sign of everything going to hell
[55:35.160 --> 55:40.760]  is going to be on like in the neighborhood of October 13th, October 14th. That's going to be
[55:40.760 --> 55:48.040]  where you have your last big push of whatever disinformation campaign is going on. I'm not a
[55:48.040 --> 55:54.020]  disinfo expert by any means, but if I were going to own stuff, I would definitely want to tell
[55:54.020 --> 56:00.120]  people. But like one of the tactics we've seen over and over again of people who are attacking
[56:00.120 --> 56:04.520]  election systems is that it's no good unless you tell people about it, unless you get noticed.
[56:04.520 --> 56:09.940]  And so you got to get noticed like early enough to sway elections, but not so early that,
[56:09.940 --> 56:16.360]  you know, there's enough from, you know, that Jack can fix it for us. So like October 15th,
[56:16.360 --> 56:20.960]  I think is the sweet spot for that. What is that? That's like Wednesday, I think, or Thursday.
[56:22.040 --> 56:28.620]  Non-Friday, non-Monday, early October, I would expect to see, I would expect to see big news to
[56:28.620 --> 56:32.800]  try to have that last push of, hey guys, don't bother voting.
[56:32.880 --> 56:38.500]  And you think that because that's when the mail-in voting window opens.
[56:38.500 --> 56:45.400]  That's when most states, in many states, absentee ballots are starting to get filled
[56:45.400 --> 56:51.000]  out then. Early voting starts then. And it's still early enough that you can make hay about it
[56:51.000 --> 56:59.080]  for the following two weeks. Like a losing side can call cyber foul, pointing at that thing for,
[56:59.080 --> 57:03.180]  you know, and just eat up, eat up news for the rest of October.
[57:03.660 --> 57:09.880]  Just this is, you know, it's a bit personal, but it goes to one of the reasons that I'm not in the U.S.
[57:09.880 --> 57:16.840]  right now. I think, you know, we had the option to be near family and ride out the pandemic.
[57:16.980 --> 57:22.760]  You know, part of the concern that was in the back of my mind was how, you know, the
[57:22.760 --> 57:29.200]  potential for civil unrest and those sorts of things are amplified by the backdrop of the
[57:29.200 --> 57:35.840]  pandemic and economic depression, a lot of other stuff. So I think the number of things that are
[57:35.840 --> 57:42.660]  available for an actor to tweak on and the amount of leverage that's present, you know,
[57:43.120 --> 57:50.400]  as we do version two of this panel is radically different to what it was, you know, last time we
[57:50.400 --> 57:56.540]  got together and spoke. So, you know, from a mitigation standpoint, it really does come back,
[57:56.540 --> 58:01.420]  you know, for the typical audience of this panel in DEF CON is making sure that you're not
[58:01.420 --> 58:06.740]  adding to the problem. You know, the whole idea of, like, polarization, of just general
[58:07.500 --> 58:11.780]  distrust, like, nihilism, all of that sort of stuff. And I do believe, like, we are talking,
[58:11.780 --> 58:17.200]  you know, Armageddon-ish type stuff at the moment, but I do believe fundamentally in, like, working
[58:17.720 --> 58:23.180]  back from the worst case scenario and optimizing the critical path from there. So it's an important
[58:23.180 --> 58:29.900]  conversation to have. Yeah, that's a good segue into the last question we're going to do today.
[58:30.640 --> 58:37.920]  So, you know, obviously, we talked about mail-in voting as the next best mitigation for forcing
[58:37.920 --> 58:43.140]  people to kind of show up in person, and definitely a better alternative than, I'd say,
[58:43.140 --> 58:48.060]  any potential half-baked e-voting solution at the last minute that would come in and swoop.
[58:48.100 --> 58:53.920]  But obviously, with the rhetoric that's been, you know, spoken by various folks in the press
[58:53.920 --> 58:59.500]  from various levels of government and elsewhere about the validity and trustability of the
[58:59.500 --> 59:05.080]  Postal Service, as well as their own financial woes imposed upon them by Congress and pre-funding
[59:05.080 --> 59:09.880]  and so forth and so on, you know, it was just announced today that they had worked out a deal
[59:09.880 --> 59:16.300]  with a massive infusion slash loan from the U.S. Treasury. I think it was, like, 15 billion dollars,
[59:16.300 --> 59:21.840]  which is a huge chunk of change. It does keep people from necessarily having to rush out and,
[59:21.840 --> 59:27.680]  you know, running for stamps. But obviously, I have reports from some of the locals here in the
[59:27.680 --> 59:35.240]  D.C. area, specifically Baltimore, about potential fallout from the recent Postmaster General coming
[59:35.240 --> 59:41.000]  in and saying, please delay first-class mail. Obviously, that puts a downward pressure on
[59:41.000 --> 59:45.620]  delivery of mail-in voting, as well as, you know, returning that and making sure that everyone hits
[59:45.620 --> 59:52.460]  with the deadlines with the postmarks. So where we sit here is our last best effort to run a
[59:52.460 --> 59:56.920]  secure election as a Postal Service. It is in dire straits. It has potential leadership that is
[59:56.920 --> 01:00:04.560]  working antithetically against the essentially constitutionally or, you know, state that the,
[01:00:04.560 --> 01:00:09.840]  you know, the Postal Service exists in. You know, what are the last bits here that we can ensure
[01:00:09.840 --> 01:00:18.420]  that that is functioning for us to go forward? Are there ways that maybe we move up early voting
[01:00:18.420 --> 01:00:25.060]  even sooner so that we kind of play into the logistics of extended timelines? Is it write your
[01:00:25.060 --> 01:00:32.400]  senators and make sure that, you know, mail is delivered in a timely fashion? Or, you know,
[01:00:32.400 --> 01:00:37.200]  some other aspect of it, you know, with that, and especially, you know, as you mentioned earlier,
[01:00:37.200 --> 01:00:41.440]  too, I think it was Todd talking about the expected timelines being a lot longer for us to hear
[01:00:41.960 --> 01:00:47.860]  the outcomes. You know, if we have this extended timeline, what's our expectations to actually,
[01:00:47.860 --> 01:00:50.320]  you know, hear what the outcomes are going to be given this?
[01:00:50.320 --> 01:00:56.860]  It would be great if states would extend their deadlines. Like, I was shocked to see that Texas,
[01:00:56.860 --> 01:01:00.680]  for all the hand-wringing Texas has been doing about mail-in ballots and, like,
[01:01:00.680 --> 01:01:08.300]  trying to make that hard, the fact that Texas then turned around and extended early voting was
[01:01:08.300 --> 01:01:14.280]  a sweet surprise. You know, I don't know. We do things randomly here in Texas. Some things are
[01:01:14.280 --> 01:01:20.420]  great. Some things are not so much. But I guess that's, I guess that's just here local in Texas.
[01:01:21.860 --> 01:01:28.300]  I don't know. Like, I feel like everyone should, you know, mentally hug a postal worker today.
[01:01:28.300 --> 01:01:32.380]  They do a lot of really hard work. A lot of people depend on them for a lot of things.
[01:01:33.500 --> 01:01:37.920]  You know, they are, in fact, constitutionally enshrined. It's an Article I power of Congress
[01:01:37.920 --> 01:01:49.360]  to establish the post office. And the fact that it became a target for disenfranchisement is just
[01:01:49.360 --> 01:01:57.640]  mind-boggling to me. But I think that we can all agree that the post office is kind of a wonderful
[01:01:57.640 --> 01:02:06.460]  Americanism, really. Like, it was a largely, this notion of a single stamp that carries something
[01:02:06.460 --> 01:02:11.580]  across the country. Like, that is, I'm not really sure. It might be an English thing. It might be a
[01:02:11.580 --> 01:02:21.080]  British thing. But one or the other, it's pretty great. So yeah, like, I mean, if you have the
[01:02:21.080 --> 01:02:27.540]  opportunity to vote absentee, absolutely do it. You know, absentee voting, you can get all nerdy
[01:02:27.540 --> 01:02:33.340]  about it and say, like, well, technically you're violating, like, the secrecy of the ballot by
[01:02:33.340 --> 01:02:36.640]  doing that because someone can watch you vote and direct you vote and see that you vote correctly
[01:02:36.640 --> 01:02:42.500]  and see that you put the thing in and mail it away. Like, but that's almost a, like, that is
[01:02:42.500 --> 01:02:49.500]  so low on my list of problems when it comes to democracy is vote selling. You know, if it turns
[01:02:49.500 --> 01:02:54.680]  out that's a big deal, great. Like, let's go tackle that. But it is, it is not, that has not been a
[01:02:54.680 --> 01:03:01.200]  problem since, like, the 19th century, so. Yeah, I want to say, too, we've seen
[01:03:02.880 --> 01:03:07.180]  the current administration, we've seen the current administration
[01:03:08.320 --> 01:03:15.420]  actively attack the Postal Service on social media. And so, you know, I would
[01:03:16.040 --> 01:03:23.220]  ask folks to understand that I don't think there was a long game there, but I don't think that
[01:03:23.220 --> 01:03:29.400]  it's going to be unreasonable to see more attacks on the Postal Service from the current
[01:03:29.400 --> 01:03:38.640]  administration. The unreliability, the conspiracies about deals with Amazon, and then how Jeff Bezos
[01:03:39.220 --> 01:03:44.920]  ties into Amazon, and then with the Clintons, like, there's a lot of, there's a lot of stuff
[01:03:44.920 --> 01:03:51.480]  to unpack there. But I would say, you know, at the end of the day, like, these are feds,
[01:03:51.480 --> 01:03:57.360]  these folks are feds, they took the same oath to the Constitution that other feds take. They're
[01:03:57.360 --> 01:04:05.320]  there to just do their jobs every day. And the idea that postal workers themselves would be
[01:04:05.320 --> 01:04:11.120]  tampering with mail-in ballots is just kind of ridiculous. And it's completely insane.
[01:04:11.120 --> 01:04:17.880]  It really is ridiculous. And, and if there were one, it's a blip on the radar if the numbers
[01:04:17.880 --> 01:04:24.800]  are out there of folks voting, right? So, so let's just keep it all in perspective. And to
[01:04:24.800 --> 01:04:31.360]  understand the importance of the Postal Service, when I was younger, the DMV test had a question
[01:04:31.360 --> 01:04:38.420]  that said, if you get to a four-way stop, and there's a fire truck, an ambulance, a police car,
[01:04:38.420 --> 01:04:44.160]  and a mail truck, who has the right of way? And everyone assumed, like, the ambulance or the fire
[01:04:44.160 --> 01:04:49.960]  truck, but it was, in fact, the mail truck, because they are protected under, you know, the,
[01:04:49.960 --> 01:04:55.760]  the guise of the federal government. Certainly mail truck wouldn't go first, but they could. And also,
[01:04:55.760 --> 01:05:00.040]  if you hit a mail truck, you get into a lot of trouble, too, because you've damaged federal
[01:05:00.040 --> 01:05:05.060]  property. So, you know, you probably don't want to go out and take your angst out on vandalizing
[01:05:05.060 --> 01:05:10.720]  mail trucks or bothering postal workers. So I just... That is a hot tip.
[01:05:11.360 --> 01:05:17.400]  I feel like... Robbing post offices used to be a hangin' crime. Yeah, well, they've also got that
[01:05:17.400 --> 01:05:21.500]  Crime a Day book that just came out from the Twitter feed. I would hope that there's a chapter
[01:05:21.500 --> 01:05:29.560]  in there about weird stuff like that. So, all right, then last thoughts on what we see as our
[01:05:29.560 --> 01:05:35.560]  future here. What you'll be doing, what you hope others will be doing, and then where do you hope
[01:05:35.560 --> 01:05:41.720]  we will be? I can go and take this first. So, yeah, nothing I'm gonna say here, really,
[01:05:41.720 --> 01:05:48.260]  is anything new, I would say, that I haven't said. But, yes, in terms of what I'm doing,
[01:05:48.260 --> 01:05:53.480]  what CISA is doing, we are going to be working through and after the election to support
[01:05:54.360 --> 01:05:59.660]  election offices at the state and local level to ensure that they have what they need from a
[01:05:59.660 --> 01:06:07.060]  security perspective. And we're committed to doing that. In terms of, I think, what's maybe
[01:06:07.060 --> 01:06:12.820]  more valuable is what people watching this, what steps they can take and what steps they can
[01:06:12.820 --> 01:06:19.660]  recommend others to take. And this goes back to the two points that you have to be patient and
[01:06:19.660 --> 01:06:24.400]  you have to expect that things may go wrong. But that doesn't necessarily mean there has been
[01:06:24.400 --> 01:06:30.440]  interference and that doesn't mean that the election is invalid. So, be patient. Do not
[01:06:30.440 --> 01:06:37.420]  assume that results will come out on election day. It may take some time, but have faith that
[01:06:37.420 --> 01:06:43.920]  election officials are doing their best to have an accurate result, that we have process in place,
[01:06:43.920 --> 01:06:52.120]  that if interference does occur, we can identify it. And just, yeah, ultimately the main thing is
[01:06:52.120 --> 01:06:59.140]  that the people of America need to have faith in their own elections and that can go away without
[01:06:59.140 --> 01:07:05.160]  any actual tampering occurring, without any interference. Just if the people do not believe
[01:07:05.160 --> 01:07:10.680]  that their result was valid, then the result is not valid. So, I think to everyone watching this,
[01:07:10.680 --> 01:07:17.660]  just to understand that what you believe happened matters and just to understand there's process in
[01:07:17.660 --> 01:07:23.680]  place, there are committed election officials, the federal government is here to support that process
[01:07:23.680 --> 01:07:30.400]  and, yeah, let's hope that we have a smooth, free, and fair election in November.
[01:07:33.360 --> 01:07:39.860]  Sure. So, I mean, I guess, like, to just kind of reiterate what, you know, everyone else says,
[01:07:39.860 --> 01:07:46.680]  like, you know, the best defense against any election shenanigans is voting and voting in
[01:07:46.680 --> 01:07:52.720]  numbers that are too hard to push one way or the other. If people go and they vote, especially
[01:07:52.720 --> 01:07:59.300]  people who have historically been disenfranchised or haven't felt the need to go vote, you know, it is
[01:08:00.040 --> 01:08:03.960]  here at every election, but this election is literally the most important election of your life
[01:08:03.960 --> 01:08:11.340]  so far. And so, go vote and hopefully if enough people do that, you know, any kind of shenanigans
[01:08:11.340 --> 01:08:17.860]  will be drowned out by the overwhelming signal that we have. Me personally, not only am I going
[01:08:17.860 --> 01:08:25.100]  to vote early, I'm very excited to do that, but I'll be working the polls. It's gonna be crazy.
[01:08:25.160 --> 01:08:30.340]  It'll be November and there will be no vaccine. And so, I will be doing a lot of cleaning and
[01:08:30.340 --> 01:08:37.660]  hoping that not too many polls close that day. You know, there were poll closures.
[01:08:37.660 --> 01:08:43.940]  In our last election here in Texas, there weren't any poll closures like on the day of.
[01:08:44.580 --> 01:08:48.340]  You know, people did show up. They got enough recruits to come and do the thing.
[01:08:48.340 --> 01:08:52.200]  I did have a couple poll workers not come to my polling place, but we had enough people to
[01:08:52.200 --> 01:09:00.160]  pull it off. So, hopefully that will remain the case, you know, but that's gonna be November.
[01:09:00.160 --> 01:09:06.240]  So, who knows like what the pandemic will bring us. If it becomes impossible to vote in person
[01:09:06.240 --> 01:09:11.940]  in any kind of crowded way, then, you know, we'll just have to deal with that as it comes. But
[01:09:13.480 --> 01:09:20.960]  if you have the bandwidth and the health to throw in for a, what is a super fun,
[01:09:20.960 --> 01:09:26.560]  sounds boring, but it's actually pretty fun, like 14-hour day, go with the polling place.
[01:09:26.780 --> 01:09:32.720]  I'll go next. You know, I will say that I'm very much looking forward to returning
[01:09:32.720 --> 01:09:39.640]  to the U.S. And this is honestly a part of that. So, again, on a, you know, speaking to the subject
[01:09:39.640 --> 01:09:43.980]  matter, but speaking to it from a very personal standpoint, it's like my adopted country is
[01:09:43.980 --> 01:09:50.240]  trying to figure all this stuff out. And I'm looking forward to being past it is something
[01:09:50.240 --> 01:09:57.040]  that, you know, it's heavy. It's everything. So, aside from that, practically, you know,
[01:09:57.560 --> 01:10:04.720]  for the hackers, find out where people are asking for help. Go help them. Like,
[01:10:04.720 --> 01:10:07.520]  look for the stuff that people have already volunteered. You know, the volunteering stuff
[01:10:07.520 --> 01:10:11.320]  that we talked about at the start, just to reiterate that. Some of that help might be IT.
[01:10:11.340 --> 01:10:14.680]  Go looking for it. See if you can find opportunities to provide your skills
[01:10:14.680 --> 01:10:21.000]  into those different areas. Help out on the open-source projects and some of the other
[01:10:21.000 --> 01:10:25.520]  things that are going on that have been volunteered. So, Arlo, we mentioned before,
[01:10:25.520 --> 01:10:30.620]  verified voting. It's up on GitHub. Go bang on the source code. And if it's legit, say so.
[01:10:30.760 --> 01:10:37.220]  If there's a problem, submit a PR. Help make it better. If these audits are a part of how we have
[01:10:38.080 --> 01:10:42.260]  a peaceful kind of acknowledgment of the count after the fact, then you'll have played a pretty
[01:10:42.260 --> 01:10:47.260]  big role in that, I think. And then, finally, you know, don't scare your grandma between now
[01:10:47.260 --> 01:10:53.440]  and November. If you're doing security research and you find something, you know, talk to Jack
[01:10:53.440 --> 01:10:58.080]  and the crew at CISA and CERT. Try to talk to the vendor. Just be very mindful of the fact that
[01:10:58.080 --> 01:11:03.100]  dropping any kind of anything that looks like a vulnerability on the internet right now is
[01:11:03.520 --> 01:11:08.260]  highly, highly exploitable from actors, from a disinformation standpoint, and you don't want
[01:11:08.260 --> 01:11:12.960]  to be a part of the problem. Technically, over the last couple days, because July sucked when
[01:11:12.960 --> 01:11:18.660]  it came to vulns, or at least people had to clean up after vulns. So, let's make August better.
[01:11:19.960 --> 01:11:23.300]  It's DEF CON month, so the internet's on fire this month anyway, but
[01:11:23.300 --> 01:11:29.540]  maybe after that, I don't know. October, let October be quiet then, that's cool. Kimber, any last?
[01:11:33.020 --> 01:11:41.340]  It's unprecedented, so it's anyone's guess what actually happens on Election Day and
[01:11:41.880 --> 01:11:55.860]  the months following. Vote, just vote. Tell your friends, tell your family, vote. Vote safely.
[01:11:56.460 --> 01:12:03.880]  Vote mail-in if you can. If you pay attention, your state may have deadlines or your district on
[01:12:03.880 --> 01:12:08.880]  when you have to let them know that you're going to be voting by mail-in ballot.
[01:12:08.880 --> 01:12:14.640]  Some folks here didn't understand there was a two-part process to mail-in ballot. You had to
[01:12:14.640 --> 01:12:21.920]  request one to receive one. It didn't automatically get sent to you. So, just being aware of how your
[01:12:22.980 --> 01:12:28.580]  local districts work when it comes to mail-in ballots so that you can participate. And if you
[01:12:28.580 --> 01:12:34.900]  have to go to the polls, wear a mask, social distance if you can, and you don't have high-risk
[01:12:34.900 --> 01:12:41.060]  folks at home, volunteer at your local polling places and do what you can to make it safe for
[01:12:42.120 --> 01:12:46.940]  our most vulnerable populations to be able to get out and have their voices heard.
[01:12:48.300 --> 01:12:55.160]  Well, yeah, that's a great thing to end on. Obviously, I have a spouse who's immunocompromised,
[01:12:55.160 --> 01:13:04.700]  so I've preemptively requested a mail-in ballot. I know some states require an extenuating excuse
[01:13:04.700 --> 01:13:12.120]  in order to get an absentee ballot, so please check with your local officials on what you can
[01:13:12.120 --> 01:13:17.900]  do to do that. Obviously, you know, a safe and secure voting is important, but safe and secure
[01:13:17.900 --> 01:13:25.340]  also means individuals as well. With that, I'll close out our panel. I do appreciate Kimber, Jack,
[01:13:25.340 --> 01:13:30.800]  Casey, and Todd for joining us this evening for the recording. Again, this was the Election
[01:13:30.800 --> 01:13:36.480]  Security Part Two, The Infrastructure Strikes Back. While I can't necessarily drop in some
[01:13:36.480 --> 01:13:42.440]  John Williams here, use your mind's eye as well as the starfield background to kind of get it
[01:13:42.440 --> 01:13:49.760]  through. And hopefully, come November, we'll see what kind of shakes out. And geez, maybe next
[01:13:49.760 --> 01:13:54.260]  February we'll have a cleanup on this, maybe a part three. Hopefully, it doesn't end up with
[01:13:54.340 --> 01:13:59.340]  a bunch of Ewoks running around saying ugnug. But anyhow, once again, thank you very much and
[01:13:59.340 --> 01:14:01.140]  thank you for your time. Take care.
